Public networks such as the Internet are commonly used to allow businesses and consumers to access and share information from a variety of sources. However, security is often a concern when accessing the Internet because there is a threat of malicious software being downloaded from a website or received in an e-mail which may contain viruses, Trojan horses, or other malicious executable code (collectively referred to as “malware”) that may infect computers inside the business or home.
An increasingly common technique used by malware authors is to create new threads of execution inside existing legitimate (i.e., trusted) processes running on a computer system. Known as code or process injection, the technique enables the new threads to protect and defend the rest of the malware installation by interfering with or recovering from any changes made by anti-malware products or tools.
Unfortunately, it is difficult for existing anti-malware products to identify such threads of execution accurately because the malicious code could be anywhere in the memory address space of any running process and the memory is not uniquely linked to a specific thread. In addition, even if the malicious code is detected by the anti-malware product, the process cannot always be killed as a whole. For example, if the running process is a user application process, killing it will cause the user to lose unsaved data. If the running process is a critical system process, killing it would cause the operating system to immediately crash.
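The passage above describes why an injected thread is hard to attribute: its code can sit anywhere in the address space and is not tied to the thread that runs it. One heuristic that anti-malware tooling uses to narrow the search is to compare each thread's start address against the process's loaded modules and against the protection of the memory region it starts in. The following Python is an added illustration of that heuristic, not code from the patent; the module, region and thread tables are constructed sample data (every address is invented), and the function and class names are assumptions of this example.

```python
"""
Triage threads in a process by where their start address lives.

Added example (not part of the patent text). Verdicts:
  "module-backed" : start address inside a mapped image (the common case)
  "unbacked"      : start address in memory that no module covers
  "unbacked-rwx"  : as above, and the region is writable and executable
Nothing here terminates anything: the text above explains why killing the
whole host process is often unacceptable, so the output is a list of
candidates for closer inspection, not a conviction.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Module:
    """A mapped image file (EXE/DLL) inside the process."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class Region:
    """A committed memory region with a protection string such as 'r-x'."""
    base: int
    size: int
    protect: str

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class Thread:
    tid: int
    start_address: int


@dataclass(frozen=True)
class Finding:
    tid: int
    verdict: str
    module: Optional[str]  # name of the backing module, if any


def find_module(addr: int, modules: List[Module]) -> Optional[Module]:
    return next((m for m in modules if m.contains(addr)), None)


def find_region(addr: int, regions: List[Region]) -> Optional[Region]:
    return next((r for r in regions if r.contains(addr)), None)


def triage_threads(threads: List[Thread], modules: List[Module],
                   regions: List[Region]) -> List[Finding]:
    """Classify every thread by the backing of its start address."""
    findings = []
    for t in threads:
        mod = find_module(t.start_address, modules)
        if mod is not None:
            findings.append(Finding(t.tid, "module-backed", mod.name))
            continue
        region = find_region(t.start_address, regions)
        # Writable+executable memory that no image backs is the strongest signal.
        if region is not None and "w" in region.protect and "x" in region.protect:
            findings.append(Finding(t.tid, "unbacked-rwx", None))
        else:
            findings.append(Finding(t.tid, "unbacked", None))
    return findings


def suspicious_thread_ids(findings: List[Finding]) -> List[int]:
    """Threads worth a closer look: anything not backed by a mapped image."""
    return [f.tid for f in findings if f.verdict != "module-backed"]


# Constructed sample snapshot of one process (all values invented).
SAMPLE_MODULES = [
    Module("app.exe", 0x00400000, 0x00100000),
    Module("ntdll.dll", 0x77000000, 0x00180000),
]
SAMPLE_REGIONS = [
    Region(0x00400000, 0x00100000, "r-x"),  # app.exe image
    Region(0x77000000, 0x00180000, "r-x"),  # ntdll.dll image
    Region(0x00600000, 0x00010000, "rw-"),  # heap
    Region(0x02A00000, 0x00010000, "rwx"),  # private, writable and executable
]
SAMPLE_THREADS = [
    Thread(1001, 0x00401000),  # main thread in app.exe
    Thread(1002, 0x77012340),  # worker started from ntdll.dll
    Thread(1003, 0x02A01000),  # starts in unbacked RWX memory
    Thread(1004, 0x00601000),  # starts in the heap, no image behind it
]

if __name__ == "__main__":
    for f in triage_threads(SAMPLE_THREADS, SAMPLE_MODULES, SAMPLE_REGIONS):
        print(f"tid {f.tid}: {f.verdict} ({f.module or 'no module'})")
```

Legitimate just-in-time compilers and some packers also run threads from unbacked executable memory, so the "unbacked" verdicts are a triage signal to be combined with other evidence (for example, the start address of the thread's creator) rather than grounds for action on their own.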
This Background is provided to introduce a brief context for the Summary and Detailed Description that follow. This Background is not intended to be an aid in determining the scope of the claimed subject matter nor be viewed as limiting the claimed subject matter to implementations that solve any or all of the disadvantages or problems presented above.